qos pre-classify is used to identify ip header information before it passes through a tunnel (encrypted or unencrypted) for qos purposes. depending on tunnel-type, a certain amount of header information is copied, and then applied to the tunnel header, so QoS information is available as it passes through the tunnel network. Without pre-classification, the QoS bits are lost in encryption and/or packet encapsulation.
If the before encapsulation packets have TOS settings that you want to "analyze" after the packets have been encapsulated with a VPN packet, then you can use pre-classify to copy the TOS values to the VPN packet's TOS. NB: The copied TOS can be overwritten, but that won't change the original packet's TOS.
E.g. you have VoIP packets marked with TOS values (perhaps a DSCP EF) so QoS can give them better treatment. If the original packet's TOS isn't copied to the VPN packet's TOS, QoS could no longer tell the difference between VoIP packets and FTP packets since they are now likely to be encrypted. (Pre-Classify is the command to cause the copy.)
Joseph - your version seemed a little clearer. I now understand when to 'apply' the command. However, in some ONT guides, they also give reason when not to apply the command to a tunnel interface or even more confusing - when to apply a service-policy command to an interface only when using QoS for VPNs.
can you shed any light on either of the later scenarios?
A free, open source network device configuration management tool, customizable to your needs!
- Always vote on an answer if you found it helpful
I'm wondering whether part of the confusion might be where you need to apply the command for it to be actually effective.
If, however, the question is why you wouldn't want to use the command, two possible reasons come to mind. First, you know nothing actually processes the TOS later on, so using the command doesn't accomplish anything and perhaps by not using it avoids a performance hit. Second, your encapsulated packets are to be treated as a class (or part of a class) themselves, not by their original contents.
If you have any URL references that I could see, that appear unclear, I might be able to comment further.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :